Cisco Confirms Arrest In Theft Of Its Code
spafbnerf writes "InformationWeek is reporting on Cisco Systems' confirmation of an arrest in connection with the theft of its IOS 12.3 source code last year. On Tuesday, The New York Times reported that federal officials and security experts have acknowledged that the theft of the Cisco source code was part of a wider pattern of thousands of attacks on military and research computers perpetrated by an unknown number of individuals." From the article: "The FBI fully recognizes the inherent sophistication and global nature of intrusion investigations...As such, we have worked hard to develop strong partnerships within the international law-enforcement community. In this case, we have been working closely with our international partners to include Sweden, Great Britain, and others. As a result of recent actions, the criminal activity appears to have stopped."
I read that as: "As a result, the criminals have realised they were being watched and have cleaned up their act, and have made sure they are not noticed by 'them' anymore."
Now on to the FA.
This space is intentionally staring blankly at you
Translation: We don't have time to QA this code, so we'd rather not have anyone do it themselves, either, then hack us with the holes we neglected to look for in the first place.
Ugh. Sometimes I wonder if there ought to be an open-source REQUIREMENT in RFPs to vendors. Hell, code availability has HELPED Linksys (who's also Cisco!) - folks have "hacked" it to make it MORE robust, but you don't see any greater number of "hacks" for Linksys products than you do for anyone else...
Maybe Cisco ought to focus on the security BASICS (it's still easier to get into someone else's network because they never changed the default password than it is to script-kid some mutated hack into working) rather than worrying that "outsiders" might actually harden their products FOR them...
From TFA: "The stolen code was a portion of Cisco's Internetworking Operating System version 12.3. The incident has been a matter of concern because malicious hackers might find flaws in the code that could be exploited to impair the functioning of Cisco's routers."
Translation: We don't have time to QA this code, so we'd rather not have anyone do it themselves, either, then hack us with the holes we neglected to look for in the first place.
Well, if security isn't a concern in our daily lives; why should computers be somehow different?
If someone steals a master key from GM, he goes to jail; he isn't charged just with petty theft, even if he doesn't attempt to use the key himself. The authorities (police and lawmakers) don't want that kind of information (how to make a master key) getting out. They don't blame GM for having a common exploit available in a large range of vehicles: they blame the guy who tried to obtain the forbidden knowledge.
Similarly, they arrested a boy who gained forbidden knowledge that could be used to damage Cisco routers, if those routers aren't secure. Cisco is not held liable for any insecurities in their routers: and this is consistent with legal tradition.
The fact is, cars are not secure, and GM isn't expected to accept liability for that. They're stolen every day, and the existence of master keys doesn't help much. Even without that, there are many well-known classes of attacks by which thieves can compromise vehicle security.
There's the "smashed windshield" attack, the "lockpick" attack, the "hotwire the engine" attack and many others. Tactics range from "social engineering" tricks (like lying to the valet to get the keys) to sheer brute force methods (such as clubbing the driver over the head, and stealing his car).
The automotive industry hasn't dealt with this problem by manufacturing significantly more secure vehicles. Instead, it relies upon the police to enforce the laws against people who would take advantage of these exploits.
Similar attitudes are seen in the housing industries (most windows aren't made of bulletproof glass), and in fact, in most industries where security is a concern. Security is expensive: and we're already paying for a police force to ensure that criminals aren't lurking about. [1]
Within the computer industry, some programmers seem shocked that security is a low concern: and yet, they go home to places with breakable glass in the windows. There's an exploit for that, too: it's called a "flying brick attack", and it's nastier than your average DDOS...
In short, they arrested the boy, because it's consistent with what the laws say, and with what the police do. If you want to change that, talk to your local politicians...
--
AC
[1] I didn't say it was working... just that the concept was there...